This week, special guest Helve Longoria, the CISO at Florida International University (FIU) joins Tony and Rob on the discussion of FIU needing a CMMC assessment. Together the three discuss what Level of certification FIU will need, and what kept Helve up at night when first finding out about CMMC.
>> Do you have CMMC questions of your own? For more CMMC resources and/or to speak with a CMMC advisor directly, click here.
LAUREN FRICKLE (HOST): Welcome to Cyberspin, the podcast that brings you expert insights to today’s hot topics in cybersecurity, privacy and compliance for highly regulated industries. Subscribe to Cyberspin on Apple, iTunes, Spotify or your preferred podcast platform and a transcript of each episode can be found at www.Redspin.com.
Hello, welcome back to Cyberspin. I’m Lauren Frickle, I’m excited to introduce this episode as we have a special guest joining Robert and Tony. In this episode. Helve Longoria, the CISO at Florida International University, also referred to as FIU, joins us and FIU is an organization in need of a CMMC assessment.
First a little about Helve and FIU. Helve is the Chief Information Security Officer at Florida International University. She oversees all aspects of cybersecurity at FIU, including but not limited to end point security, network security, incident response, cyber risk management, two factor authentication, remote access, vulnerability management, and security awareness and FYI is Miami’s public research University focused on student access. FIU is a top US research University. It’s an R1 with more than $200 million in annual expenditures. FIU ranks 15th in the nation among public universities for patent production, which drives innovation and is one of the institutions that helped make Florida the top state for higher education.
With that, let’s get started with the episode and talk with Helve on her organization’s need for a CMMC assessment.
Hey Rob, how’s it going?
ROBERT TEAGUE: Hello, I’m happy to be here with Helve from FIU. Helve, thank you for joining us. We’ll jump right into the first question. How did you first learn about CMMC?
HELVE LONGORIA: So, Rob, I heard about CMMC through some higher Ed education groups that I belong to, so a lot of us in the higher Ed community are talking about this, and I’m looking at this because it’s new to us and it’s all over some of our discussion groups.
ROBERT TEAGUE: OK, so all about CMMC and the different levels of what level you need?
HELVE LONGORIA: I’m a little familiar with CMMC I’ve started to do my research on it. I do know that I need to be at a minimum of a Level 3. I do need to do a little bit more digging on what it takes for us to go from a Level 3 to Level 4 and 5, but that’s more in the long term. However, I still have questions on how we go about getting this certification and how it has to be by a third party, so what are the building blocks we need to get to that point? I think it’s really where I’m at right now.
ROBERT TEAGUE: Right, and I know we had a discussion before, but I wanted you to kind of express cause I’m sure you’re not the only Chief Information Security Officer out there that’s feeling this. But what would your thoughts when you first heard that you had to do CMMC?
HELVE LONGORIA: “Wow”, HAHA. Well, I was like we’re just coming out of the NIST 171, right? Now that we have to have all these access controls for research and for my data and now, we have CMMC and first, I was like how is this going to differ from what we’re already doing with 171? Is it just additional controls or is it completely something different in addition to that? So that’s really where I was when I first heard about it and I was also concerned about the timelines, right? Because if it’s an aggressive timeline, there’s a lot of work that needs to be done.
ROBERT TEAGUE: Yes, and I’m glad you brought that up. Tony and I have been talking about that during the series. You know, it’s best to start preparing now, even though it may be down the road. But the more you’re ahead of the game the better.
So, have you guys already started setting aside resources and personnel, etc.…?
HELVE LONGORIA: No, so resources and personnel are going to be a challenge.
I think that’s probably going to be our biggest challenge. I think the technology is there and the understanding, and we can get up to speed really quickly on what exactly CMMC entails, however, resources are going to be a challenge.
They’re challenged today even without it, so I think that’s a challenge that we face, and I believe other universities are going to face the same problem.
ROBERT TEAGUE: Yeah, I’m sure everybody is in that boat and Tony I don’t know if you will jump in and explain a little bit about the CMMC Level 3 certification.
I know Helve has done her homework, but maybe there’s some tips you can give her for prepping.
TONY BUENGER: Yes, yeah. She’s absolutely right. As an R1 University, she will be dealing with CUI directly, so she’s a minimum Level 3 and she’s finding out there’s a big difference between a Level 1 and a Level 3 that requires additional controls from the 800-171 20 controls, and plus those processes. I know that she’s familiar with those processes that you need to meet, those processes which are kind of still kind of murky/up in the air, I know the DoD and the CMMC accreditation body are still talking about how those processes will be assessed, and we’re working on that as well. You know, Rob you and I’ve been talking about that is how do we assess those processes? There’s a lot of questions around that. Going to Level 5,
as soon as you may or may not be aware, there are increased levels of certification, Levels 1,3, and 5, 2 and 4, are transitions to that upper Level. Level 5 and you know, my previous organization was an R1 University and as that level of research University, you may require a Level 5. Definitely Level 3 Level 5. The difference between the two is more automation really level 5 is designed to protect against advanced persistent threats such as the SolarWinds breach. And that’s why we’re hearing a lot about Level 5 now is because that Level is designed to protect against or minimize risk against APTs that requires more automation as I just mentioned. For example, a 24/7 S.O.C (Security operations center), Now, that doesn’t mean you have to man a S.O.C 24/7. You may already have that. That’s fine, but you can outsource it as long as you got that 24/7 incident response capability. And that’s just one example,
ROBERT TEAGUE: Some folks out there may not know or be familiar with Florida International University, but you also have a medical side of the college, right?
And so annually, you’re already doing risk assessments on your network looking at your security program, so you’re probably well ahead of most folks that are sitting out there that are.
HELVE LONGORIA: Yeah.
ROBERT TEAGUE: They’re just realizing what CMMC is, so actually you’ve already got a foot in the door, so I don’t think it’s going to be too much for you on the side of CMMC, but a Level 3 is definitely more aggressive than a Level 1 certification.
So, the other piece about that is, does anybody else within your staff know about CMMC? Are they preparing for it as well?
HELVE LONGORIA: Sure, so my team has been briefed on CMMC and we were already working on the NIST 171 and CUI typed research assessments so we were very familiar with that and it’s just now bringing this next year into the equation to make sure that we can address any other controls that we might be lacking. At this point, you know, even now we’re going through some of the grant agencies have been giving us. We have to do the self-assessment gearing up for the CMMC you know in the next couple of years, so we are, in this. We’re all in, you know.
And again, I, I think it’s great for our institution to try to be at the highest level possible to, you know, keep our doors open for potential research grants and, our researchers do great things and great work. So, I’m here to facilitate that and make sure that their information stays protected and secure.
ROBERT TEAGUE: Awesome, yeah, and that’s why we were excited to have you on board because of your knowledge and you know the things that you deal with.
It just spreads this big gamut that most folks, it’s just their little network.
They only worry about what their core function is. But at the university, you’ve got several core functions that you have to maintain, and each has a different type of security protection level or something that goes with it.
HELVE LONGORIA: Absolutely. Yeah, that’s true.
ROBERT TEAGUE: It was very important for us and I kind of tipped, the scales on our last podcast that you were going to be coming on board with us, and so hopefully everybody is enjoying the conversation
TONY BUENGER: Your University, is it very distributed?
HELVE LONGORIA: No. One of the big advantages that I have over some of my counterparts is that we have a central IT, and we manage end-to-end our network and our security and our and our endpoints are managed by central IT.
TONY BUENGER: Wow, that’s good cause you know, a lot of universities.
Each college has its own IT director or some of their own CIOs and that is almost impossible.
HELVE LONGORIA: Yeah, yeah, and here we have our own. Colleges have IT directors or admins, but they’re more localized at the college for applications that the college needs, but then they come back to the enterprise for these enterprise resources, right? The network, the security, that’s all funneled by the enterprise on the top.
ROBERT TEAGUE: Which was something that, if I’m not mistaken, Helve, you weren’t like that before. This is something you have really since landing on board, as the CISO has really structured over the last couple of years.
HELVE LONGORIA: Well, I mean we’re talking specifically, it wasn’t like that for our HIPAA environment. So, everything was very managed with the different areas that had HIPAA and it would you know, or even from their policies and the procedures works very, you know, focused on those areas, but one of our efforts in the last three years has been to bring that to the enterprise and make that centralized that everybody runs by the same playbook. We’re all using the same policies, the same incident response process, because it’s important for us to have that oversight at the end of the day, we’re one institution we are one legal entity, right? So, it was very important for me to have that visibility, and for my counterparts and my coworkers to also have that perspective.
ROBERT TEAGUE: So, let me ask you Tony, because I’m sure Helve, and many others are thinking this that you know they already do annual risk assessments with third party vendors. So as part of their gap assessment for setting the scope for this CMMC certification, can they send you those reports that they have as a starting point?
TONY BUENGER: Yes, they should send those to us as a starting point. Absolutely you look on the CMMC websites with their guidance. That’s one of the artifacts that they want to have presented to assessors. Obviously, they want to have the SSP, the system security plan, your NIST 800-171 score from your input to your SPRS. And plus, they want a copy of your last risk assessment and for assessors that gives us a good baseline to go on to get a kind of a feel for where you are when it comes to helping you plan for for an assessment.
ROBERT TEAGUE: Yeah, and so Helve, kind of the difference of, you know, a traditional risk assessment versus the CMMC certification process is, well, you know we come out and we start doing the assessment. It’s a go or no go. Yes, you passed when you didn’t, so you just need to be prepared for that.
But how did you really hear about us at Redspin?
HELVE LONGORIA: I heard about Redspin from the conversation I was having with you on a different topic.
ROBERT TEAGUE: OK, ha-ha, so word of mouth, I like it.
HELVE LONGORIA: Word of mouth yes.
ROBERT TEAGUE: Yes, so for our listening audience I just happened to be doing the assessment with Helve and I’m going to let you go into detail on this Helve, because it’s very important that the stress I saw in your face when I mentioned CMMC.
Do you remember that conversation?
HELVE LONGORIA: Yes, I do
ROBERT TEAGUE: Yes, you were like “Rob, it’s keeping me up at night”.
HELVE LONGORIA: Yes, I mean we were just talking wrapping up some other details from our other assessment and we just started talking about it. And when you mentioned to me that you had, you know Certified Assessors, I was like I really need to get more information because from where I stand you know I’m trying to do as most research as I can about the CMMC who does these certifications cause this is not like NIST 171 that you know we have the controls and we know what we’re putting in place, but what mitigating controls we may have in the documentation, 0f course, but you know this is a lot more complex.
So definitely when you mentioned it to me, you just took a lot of weight off my shoulders because I need somebody that I can work with and that we can go through the process because even from like you mentioned the Level 1 to Level 3 there’s a difference, right? And to get us to the Level 5 it’s a completely different gamut, and we’re talking about more automation. And how do we get that? Where do we start and what’s the timeline to get there?
ROBERT TEAGUE: Right exactly Just so everybody else knows, all of our listeners.
You can also go out to the CMMC marketplace so Tony, any other last-minute information to pass on to Helve as she prepares for her assessment and engagement as we wrap this up today?
TONY BUENGER: The only thing I’d like to ask you is how are you segmenting the CUI environment? How difficult are you seeing that as a task to get prepared for Level 3?
HELVE LONGORIA: Yeah, it is very difficult. Right now, we are doing it based on projects or grants that come in and we segment those workstations and there’s some devices that are being used for that type of research, so it’s really per project, right? We don’t have an environment that is a CUI storage a CUI complete environment. However, you know, looking at some of the controls and seeing other compliance efforts and relations, we have to meet. We’re not far from the to make the enterprise get to that standard right. If we’re talking about encryption and different levels of encryption for storing the data and how users access these systems and the information you know, and that’s a conversation that I would also you know, welcome with with your team. Can we do an enterprise or are we really just over expanding and making this more complicated to have all these controls riding on top of the whole institution as our best practices, right or are these the FIU standard for security? Because I’ve always been of the mindset that I’d like to go with the more rigorous standard because then everything that comes after will kind of proceed, and that’s where I originally was with my mindset with the NIST 171. But now with CMMC, that’s a different conversation.
TONY BUENGER: You are exactly right, you definitely don’t want the entire University in scope for this CMMC assessment, so it sounds like you’re doing what you can to segment that your CUI environment too, that right now is per project and you may find it is getting more and more projects.
You may just want to build that virtual or this physical and/or physical, you know, secure CUI environment. Your kind of doing that now.
So, and you’re probably finding that’s probably one of the most resource-intensive activities. Getting ready for a Level 3 assessment is properly protecting, that CUI
ROBERT TEAGUE: Yeah, well you know as technical engineers’ segmentation is not easy anyway right?
TONY BUENGER: No, it is not, and segmentation is more than just the technical as we know, it’s about training the people, getting the right accesses is to the people who are actually storing, processing and disseminating or transmitting. CUI so it’s more than just the technical endeavor.
HELVE LONGORIA: Yeah, I mean along with that we we talked a little bit about resources, right resources is also going to be a key key both from a software hardware and technical resources, as well as people resources, because in some of the situations some of the equipment and devices, some of these researchers may be using are not the most secure or more the most up-to-date devices, so that is also a play in the conversation is how do we get the funding to provide them with upgrades to these devices right? In order for them to be able to meet the standards to security for securities that their data and their research.
TONY BUENGER: It’s obvious you’ve done your homework and then you know there’s still more homework ahead. There’s still more lessons to learn coming from that academic institution. You know you have a lot more homework and that’s just the nature of this beast we call CMMC.
HELVE LONGORIA: Yeah, absolutely.
ROBERT TEAGUE: Still growing love it. All right, well with that Helve thank you and Florida International University for letting us borrow you for this session.
It’s always a pleasure talking with you, but more important today, all the different concerns that you bring to us about CMMC cause there’s many out there that are afraid to ask those questions or talk about it. So, we appreciate you joining us.
HELVE LONGORIA: I’, looking forward to more conversations around this very critical topic for us. I’m looking forward to collaborating with you in the future.
ROBERT TEAGUE: Indeed, sounds like we got us a new participant on the podcast.
HELVE LONGORIA: Thank you, thank you.
ROBERT TEAGUE: Thank you again for joining another episode of Cyberspin. CMMC-AB is continually adding to the CMMC process and slowly each day is uncovering more details as time goes on and we here at Redspin are fortunate enough to have Tony with us who’s on the front edge of that knowledge as it comes out firsthand. So, I encourage all of our listeners to stay tuned to Cyberspin to keep up with the latest developments and information.
And please don’t forget to share this podcast with those that you may think could benefit from the information and discussions, especially, you know when we have a prominent CISO, like Helve joining us because she’s talking about topics that many out there are experiencing.